Google SSO

Single sign-on with the user's Google identity is handled entirely by the IAM system and has nothing to do with the CUE User Manager integration. If the IAM system is set up to use Google OIDC login, it will do so regardless of what CUE User Manager tells it.

That said, many IAMs, like Gluu, will support users logging in using either an AD user or a Google user. This means it's possible to separate users, for instance, having in-house editorial users in Active Directory, while freelancers use their Google login.

When the user logs in through Google SSO, a (shadow) user is created inside the IAM system with a link to the Google identity. In Gluu, for example, the LDAP entry for a user logged in over Google OIDC contains an attribute like oxExternalId=gplus:4112343241234.

Before this user can do anything in CUE User Manager, it must be assigned groups matching the newsroom publication mapping that you've configured in /etc/escenic/user-manager/user-manager.yaml. CUE User Manager uses this to create the appropriate user in CUE Content Store with roles granting it permissions to do something. How these groups are added is in the realm of the IAM system. Preferably, the IAM system allows the integrator to hook into its user creation process and add the necessary groups immediately after the user logs in through Google, ensuring a smooth single sign-on experience.
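The following audit check is an added example, not part of CUE User Manager or Gluu: it scans an LDIF export for Google-linked shadow users (oxExternalId starting with gplus:) that hold none of the mapped groups. It assumes group membership is stored in a memberOf attribute; MAPPED_GROUPS, the group DNs and the sample entries are constructed placeholders.

```python
# Added example: find Google shadow users that hold no mapped group.
# Assumptions: membership lives in "memberOf"; all names and data are constructed.
SAMPLE_LDIF = """\
dn: inum=0001,ou=people,o=gluu
uid: freelancer1
oxExternalId: gplus:4112343241234
memberOf: inum=g-editors,ou=groups,o=gluu

dn: inum=0002,ou=people,o=gluu
uid: freelancer2
oxExternalId: gplus:4112343241235

dn: inum=0003,ou=people,o=gluu
uid: staff1
memberOf: inum=g-editors,ou=groups,o=gluu

dn: inum=0004,ou=people,o=gluu
uid: freelancer3
oxExternalId: gplus:4112343241236
memberOf: inum=g-unrelated,
 ou=groups,o=gluu
"""
MAPPED_GROUPS = {"inum=g-editors,ou=groups,o=gluu"}  # stand-in for the yaml mapping


def parse_ldif(text):
    """Yield one dict (attribute -> list of values) per entry; base64 values are skipped."""
    unfolded = text.replace("\n ", "")  # undo LDIF line folding
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                name, value = line.split(": ", 1)
                entry.setdefault(name.lower(), []).append(value.strip())
        if entry:
            yield entry


def google_users_without_mapped_group(text, mapped_groups):
    """Return uids of Google-linked users that are in none of the mapped groups."""
    wanted = {g.lower() for g in mapped_groups}
    missing = []
    for entry in parse_ldif(text):
        linked = any(v.startswith("gplus:") for v in entry.get("oxexternalid", []))
        groups = {g.lower() for g in entry.get("memberof", [])}
        if linked and not groups & wanted:
            missing.append(entry["uid"][0])
    return missing
```

Users reported by this check can authenticate through Google but have no mapped group, so they are the accounts the group-assignment hook missed.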